Challenge-Response Authentication
The Challenge-Response Authentication Mechanism (CRAM-MD5) avoids
passing a cleartext password over the network when you access your
email account, so that your login details cannot be captured in transit
and reused by anyone.
Instead of sending your account password as cleartext, some email
clients (notably SecureBat! from RitLabs) can send a non-reversible
message digest (computed from the password and a challenge string
received from the server) to authenticate your access to the mail
server. This message digest is computed using the MD5 cryptographic
hash function, keyed as defined in the HMAC (Keyed-Hashing) standard
(RFC-2104).
Even if this message digest is exposed during authentication, there is
no long-term risk to the account, as the message digest is bound to the
one challenge it was computed for and can only be used to authenticate
once; a new message digest must be generated the next time
authentication is required, based on a new challenge sent by the server
and the secret password known only to the owner of the account.
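The following is an added example, not code from Neomailbox or RitLabs, showing the exchange described above as specified in RFC 2195 (the successor of RFC-2095) with HMAC-MD5 from RFC-2104. Both the server side (issuing a fresh challenge and verifying the response) and the client side (computing the keyed digest) are simulated in one process; the hostname, user name and password are constructed sample values. It also checks the replay property from the paragraph above: a response captured for one challenge fails against the next one.

```python
# Added example: a minimal CRAM-MD5 exchange (RFC 2195 / RFC 2104).
# Not Neomailbox's or RitLabs' code; all names and secrets are constructed.
import base64
import hashlib
import hmac
import os
import time


def make_challenge(hostname: str) -> str:
    """Server side: a fresh, unique challenge of the RFC 2195 form
    <process-id.timestamp@host>. On the wire it is sent base64-encoded."""
    return f"<{os.getpid()}.{time.time_ns()}@{hostname}>"


def cram_md5_digest(password: str, challenge: str) -> str:
    """HMAC-MD5 keyed with the password over the challenge, as a hex string.
    This is the only thing derived from the password that ever leaves the
    client (a hardware token performs exactly this step internally)."""
    return hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()


def cram_md5_response(username: str, password: str, challenge: str) -> str:
    """Client side: base64("username hexdigest"). The password itself is
    never sent."""
    line = f"{username} {cram_md5_digest(password, challenge)}"
    return base64.b64encode(line.encode()).decode()


def decode_response(response_b64: str) -> str:
    """Helper for inspecting what actually crossed the wire."""
    return base64.b64decode(response_b64).decode()


def verify_response(stored_passwords: dict, challenge: str, response_b64: str) -> bool:
    """Server side: recompute the digest from the stored secret for the
    claimed user and compare in constant time. Any malformed response,
    unknown user, wrong secret, or digest for a different challenge fails."""
    try:
        username, digest = decode_response(response_b64).split(" ", 1)
    except ValueError:
        return False
    secret = stored_passwords.get(username)
    if secret is None:
        return False
    expected = cram_md5_digest(secret, challenge)
    return hmac.compare_digest(expected, digest)


def run_exchange(stored_passwords: dict, username: str, password: str, hostname: str) -> dict:
    """Run one full authentication and return the transcript plus outcome,
    then show that replaying the same response against a new challenge fails."""
    challenge = make_challenge(hostname)
    response = cram_md5_response(username, password, challenge)
    accepted = verify_response(stored_passwords, challenge, response)
    # A second login issues a new challenge; the old response is useless for it.
    replayed = verify_response(stored_passwords, make_challenge(hostname), response)
    return {
        "server_challenge": base64.b64encode(challenge.encode()).decode(),
        "client_response": response,
        "accepted": accepted,
        "replay_accepted": replayed,
    }


if __name__ == "__main__":
    # Constructed sample account; the server stores the shared secret.
    db = {"alice": "correct horse battery staple"}
    for k, v in run_exchange(db, "alice", "correct horse battery staple", "mail.example.test").items():
        print(f"{k}: {v}")
```

Note that the server must hold the password (or an equivalent keyed-MD5 intermediate) to recompute the digest, so CRAM-MD5 cannot be used with one-way hashed password storage on the server; that is the trade-off for keeping the password off the wire. The `cram_md5_digest` function matches the worked example in RFC 2195 (user `tim`, secret `tanstaaftanstaaf`, challenge `<1896.697170952@postoffice.reston.mci.net>`).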
Neomailbox provides complete support for CRAM-MD5 authentication, both
for sending mail through SMTP and for receiving email over POP3 and
IMAP. Of course, if you use SSL encryption, your account access
details are protected by SSL anyway, but CRAM-MD5 authentication may
still be of use to you in conjunction with a hardware token.
Hardware Authentication
When you choose the option "Store password on iKey" in SecureBat!,
this activates a hardware implementation of CRAM-HMAC
Challenge/Response (RFC-2095) authentication. A special non-replicable
hardware token, the iKey by Rainbow Technologies, stores the password
and computes the keyed hash.
The token is small and lightweight, making it easy to carry on a key
chain. When this authentication mechanism is chosen, the password
cannot be extracted from the token and it is never transferred into
the computer where the email client is running.
This way, no software (including spyware, Trojan horses or viruses) can
intercept or otherwise retrieve the password, even if you access your
email account from a computer that contains any number of such malicious
programs.
SecureBat! Pro
SecureBat! Pro is an email client from RitLabs which offers all of the
features of their popular email software The Bat!, along with secure
authentication on POP3/SMTP servers using hardware tokens and
transparent, on-the-fly encryption of the email message base, address
books and configuration files. This keeps the sensitive data stored on
your mobile and desktop computers very secure.
SecureBat! Pro also provides a number of other important security
features, including on-the-fly encryption of all locally-stored data
and OpenPGP or S/MIME encryption to protect messages in transit. A
partial list of SecureBat! security features includes:
- Works with Aladdin eToken Pro or Rainbow iKey1000 tokens
- Unencrypted files never appear on disk
- On-the-fly encryption with no noticeable delays
- Support for all PGP versions from 2.6x through 8
- Support for S/MIME with X.509 certificates
- Hardware RSA key generation, signing and decryption for S/MIME
- Guarantee that only authorized users can access their email accounts
- Hardware implementation of CRAM-HMAC-MD5 authentication
- Passwords to an email account cannot be exposed at the client side
- Use email in those areas where it could not be used previously
- Import message bases from all major email clients
- Features for managing email quickly and easily...
We heartily recommend SecureBat! Pro as the most secure email program
available for Windows platforms.